We just discovered a new malware, dubbed Chaos, capable of infecting and controlling many different types of systems. It spreads across recent, highly insecure IoT devices as well as Windows and Linux systems, SOHO routers, and enterprise servers.
Chaos functionality includes the ability to enumerate hosts on the network, access remote applications, and load additional modules. The malware can also be used for DDoS attacks and for stealing private keys by brute forcing them.
Over one month from mid-June through mid-July 2022, “hundreds” of bot infections were found in China and the U.S., representing bots from different IP addresses.
China-based infrastructure is used for command and control. This malware joins the list of malware designed to establish a foothold for an extended period and carry out nefarious activities, such as DDoS attacks or cryptocurrency mining.
With the development of AI, there seems to be a shift toward using more programming languages in operations, both to evade detection and to target different platforms simultaneously.
Chaos exploits known security vulnerabilities to gain initial access and subsequently conducts reconnaissance and lateral movement across the compromised network.
Versatility Of Malware
The malware is built for multiple instruction set architectures, which allows it to operate across these platforms efficiently and increases its potential target base. The threat actor can increase the volume of their targets with ease by moving on to a new platform.
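Because a multi-architecture botnet ships one binary per ISA, the first triage step for a defender who collects samples is to sort them by target architecture from the ELF header rather than by filename. The following is an added illustrative example, not code from the article or from Black Lotus Labs; the sample headers are constructed inline (only the first bytes of an ELF header, not real malware), and the names `elf_arch`, `make_header` and `triage` are this example's own.

```python
import struct

# e_machine values from the ELF specification mapped to readable names.
EM_NAMES = {
    3: "x86",
    8: "MIPS",
    20: "PowerPC",
    21: "PowerPC64",
    40: "ARM",
    62: "x86-64",
    183: "AArch64",
}


def elf_arch(data: bytes):
    """Return (architecture, bit width, endianness) for an ELF blob, or None.

    Only the identification bytes and e_machine are read, so a truncated or
    deliberately damaged sample still classifies as long as the first 20
    bytes are intact. Non-ELF input (e.g. a PE starting with 'MZ') yields None.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed class/endianness fields
    endian = "<" if ei_data == 1 else ">"
    # e_machine is a 2-byte field at offset 18, stored in the file's own byte order.
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    bits = 32 if ei_class == 1 else 64
    name = EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})")
    return name, bits, "LE" if ei_data == 1 else "BE"


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Construct a minimal 64-byte ELF header for testing (constructed data)."""
    endian = "<" if ei_data == 1 else ">"
    hdr = (
        b"\x7fELF"
        + bytes([ei_class, ei_data, 1, 0])  # EI_CLASS, EI_DATA, EI_VERSION, EI_OSABI
        + b"\x00" * 8                       # EI_ABIVERSION + padding up to offset 16
        + struct.pack(endian + "HH", 2, e_machine)  # e_type=ET_EXEC, e_machine
    )
    return hdr.ljust(64, b"\x00")


# Constructed sample set standing in for a directory of collected binaries.
SAMPLES = {
    "sample_a": make_header(2, 1, 62),    # x86-64, little-endian
    "sample_b": make_header(1, 2, 8),     # 32-bit MIPS, big-endian (typical router SoC)
    "sample_c": make_header(1, 1, 40),    # 32-bit ARM, little-endian
    "sample_d": make_header(2, 1, 183),   # AArch64
    "not_elf": b"MZ\x90\x00" + b"\x00" * 60,  # a PE stub, to show the negative case
}


def triage(samples: dict) -> dict:
    """Classify every sample; unparseable ones map to None so nothing is silently dropped."""
    return {name: elf_arch(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name}: {result}")
```

Grouping samples this way shows at a glance which device classes a campaign is built for (a MIPS big-endian build points at router-class hardware, an x86-64 build at servers) and which architectures still lack a collected sample.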
Chaos can execute up to 70 remote commands sent from the C2 server, one of which is an instruction to trigger the exploitation of publicly disclosed vulnerabilities.
An analysis of around 100 samples of the botnet activity found evidence dating as far back as April 2022. The malware targeted not just enterprise servers and large organizations, but also devices that are not regularly monitored.
Evolution Of Kaiji Malware
Chaos is a spin-off of the Go-based DDoS malware Kaiji. According to Black Lotus Labs, the correlation is that the two share overlapping code and functions as well as a reverse shell module. It also has similarities with the previous ByteDance malware called Memo.
A GitLab server located in Europe was one of the many victims of the Chaos botnet in the first weeks of September, according to a company statement. The company identified a string of DDoS attacks aimed at entities spanning gaming, financial services, technology, media and entertainment, and hosting providers, as well as a crypto-mining exchange.
The findings come exactly three months after the cybersecurity company exposed ZuoRAT, a new remote access trojan that has been singling out SOHO routers and has been behind a sophisticated campaign targeting North American and European networks.
Lumen’s Black Lotus Labs director, Mark Dehus, warns that this malicious software is rapidly building on the cloud with capabilities similar to the Petya ransomware: it can attack a variety of devices and is positioned to continue accelerating.